Re: features, use, deployment?
Jueneman@gte.com
Fri, 16 Feb 1996 14:42:48 EST
>Well, we've gotten some significant discussion about MSP, which isn't a
>major candidate for commercial Internet mail use, as nearly as I can tell.
>(I've asked several proponents to cite vendor product plans and none has
>yet appeared.)
>
>And we've had just a tad of discussion about PGP. And perhaps a comment or
>two about S/MIME and MOSS.
>
>I'd like to hear comparative comments from folks and especially like to
>hear about usage experience and/or deployment plans. Have any of the
>end-user folks done an evaluation and made a choice? If so, why? Any
>deployment activities done or underway? How are they going?

The fact that the USG is going to require and use MSP essentially guarantees
that there will be a number of vendors who will be stepping up to the plate, if
they haven't already. (I don't stay very close to such things, but I thought
that it was supposed to be included within Microsoft's Exchange, at least some
day?) So on that basis I would vote to include MSP within the set of protocols
to be discussed.

Summarizing Raph's very helpful analysis, it seems that (depending on your
point of view):

1. S/MIME has pretty much done it right, with the exception of their
multipart/alternative approach. (The argument I heard from one of the RSA guys
at the RSA conference was that they didn't WANT anyone who didn't have a S/MIME
reader to be able to read a signed message, for fear that it might have been
tampered with and the user would never know -- and worse yet, might put an
unwarranted amount of trust in it because of the unreadable stuff that was
attached. I don't buy that argument -- compatibility and evolutionary
installability is much more important. One of the major drawbacks I have heard
stated about X.400 is that there isn't any graceful way to install it
piecemeal. And doubling the size of every signed message that might have to be
read by an unknown audience is completely unacceptable. However, discussions
with potential vendors at the RSA conference convinced me that there are quite
a few that may start work in earnest on S/MIME very soon if they haven't
already, and that we might start seeing products by June or thereabouts. That's
at least a good sign.

2. MOSS did it right with respect to the MIME encoding, but approximately half
of the technical community still has grave reservations about their trust model
and key distribution mechanisms. In addition, several months ago I sent out a
rather desperate plea for anyone who was planning to implement MOSS on a PC
(Windows 3.1 or Windows 95) and/or a MAC to please contact me. I got absolutely
zero responses, other than from Ned Freed who was planning to incorporate it in
his suite of gateway products. So I have to question whether MOSS is real.

3. PGP has cornered the market, at least in free encryption software. How and
whether it can be integrated into a slick multimedia-capable product that will
be sold and supported as a commercial product remains to be seen.

4. I believe that Motorola and a few other companies are actively selling
PEM-based systems. Maybe PEM shouldn't be dismissed quite so casually, even
though the use of single DES makes it somewhat suspect.

Finally, is it worth discussing some quasi-email products and protocols? Lotus
Notes, for example? And how do S-HTTP and SSL fit into all of this?

And taking a broader look at electronic documents in general, there is already
a strong market requirement for digital signatures applied to SGML documents,
and I foresee a time when the hypertext links in HTML are going to have to be
made secure, so that you know that you are going after the right document URL,
and after you got it, that it was the document version you (and the author)
thought it was. (This is the secure embedded URL problem, which is needed for
secure incorporation by reference of other (external) documents, including
X.509 certificates.)

Let's not get stuck with a totally "push" type of mentality with respect to
e-mail, and especially attachments, when the web is moving very rapidly to a
"pull" model. At present, I'm not aware of _any_ protocol that handles this
problem adequately.

Bob
Robert R. Jueneman
GTE Laboratories
40 Sylvan Road
Waltham, MA 02254
Jueneman@gte.com
1-617/466-2820
"The opinions expressed are my own, and may not
reflect the official position of GTE, if any, on this subject."